Overview

overview

10

Static

static

156335b95b...le.dll

windows7_x64

10

156335b95b...le.dll

windows10_x64

10

Resubmissions

02-02-2022 05:52

220202-gkv33aggfr 10

02-02-2022 05:47

220202-gg54vsggej 10

02-02-2022 05:04

220202-fqg8qagcfl 10

02-02-2022 05:01

220202-fnve9sgcck 10

02-02-2022 04:58

220202-fl8j4sgeh6 10

02-02-2022 04:52

220202-fhc9ssged6 10

02-02-2022 04:44

220202-fc77zsgahr 10

02-02-2022 04:39

220202-e95mpagacp 10

Analysis

  • max time kernel
    74s
  • max time network
    118s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    26-07-2021 12:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673.sample.dll

  • Size

    54KB

  • MD5

    f587adbd83ff3f4d2985453cd45c7ab1

  • SHA1

    2715340f82426f840cf7e460f53a36fc3aad52aa

  • SHA256

    156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673

  • SHA512

    37acf3c7a0b52421b4b33b14e5707497cfc52e57322ad9ffac87d0551220afc202d4c0987460d295077b9ee681fac2021bbfdebdc52c829b5f998ce7ac2d1efe

Score
10/10
darksideransomware

Malware Config

Extracted

Path

\Device\HarddiskVolume1\\README.70d4d153.TXT

Family

darkside

Ransom Note
----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/ZWQHXVE7MW9JXE5N1EGIP6IMEFAGC7LNN6WJCBVKJFKB5QXP6LUZV654ASG7977V When you open our website, put the following data in the input form: Key: lmrlfxpjZBun4Eqc4Xd4XLJxEOL5JTOTLtwCOqxqxtFfu14zvKMrLMUiGV36bhzV5nfRPSSvroQiL6t36hV87qDIDlub946I5ud5QQIZC3EEzHaIy04dBugzgWIBf009Hkb5C7IdIYdEb5wH80HMVhurYzet587o6GinzDBOip4Bz7JIznXkqxIEHUN77hsUM8pMyH8twWettemxqB3PIOMvr7Aog9AIl1QhCYXC1HX97G5tp7OTlUfQOwtZZt5gvtMkOJ9UwgXZrRSDRc8pcCgmFZhGsCalBmIC08HCA40P7r5pcEn2PdBA6tt5oHma19OMBra3NwlkZVUVfIql643VPuvDLNiDtdR1EZhP1vb2t2HsKlGOffG7ql9Y2JWcu2uwjqwVdSzQtlXWM6mEy3xdm3lcJnztQ5Nh7jJ7bYgAb1hODbN9UektcOzYC0e0ZqjPVLY3opxNvYgCk8Bz9clmNXqsvMjBQXJQVb8o0IPMcDjYyhJuG0EevGlAWVq8WGS7JraW22zvlz8SQ4HdgUEJR0VbrsitXqIbIF9S2XGZmtxEsRStAey !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!
URLs

http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/ZWQHXVE7MW9JXE5N1EGIP6IMEFAGC7LNN6WJCBVKJFKB5QXP6LUZV654ASG7977V

Signatures

  • DarkSide

    Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.

    ransomwaredarkside
  • Modifies extensions of user files 8 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops startup file 2 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 5 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Windows directory 1 IoCs
  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 44 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673.sample.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:804
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673.sample.dll,#1
      2⤵
        PID:1528
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673.sample.dll,#1
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2300
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe C:\Users\Admin\AppData\Local\Temp\156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673.sample.dll,#1
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3748
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe C:\Users\Admin\AppData\Local\Temp\156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673.sample.dll,#1
          3⤵
          • Enumerates connected drives
          • Drops file in System32 directory
          • Sets desktop wallpaper using registry
          • Modifies Control Panel
          • Modifies data under HKEY_USERS
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3776
          • C:\Windows\SysWOW64\rundll32.exe
            C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673.sample.dll,#3 worker0 job0-3776
            4⤵
            • Modifies extensions of user files
            • Drops startup file
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            PID:2912
          • C:\Windows\SysWOW64\rundll32.exe
            C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673.sample.dll,#3 worker1 job1-3776
            4⤵
            • Enumerates connected drives
            PID:416
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:580
    • C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
      1⤵
      • Enumerates system info in registry
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2148
    • C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
      "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:3808
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
      1⤵
      • Drops file in Windows directory
      PID:424
    • C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
      1⤵
      • Enumerates system info in registry
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3268

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Defacement

    1
    T1491

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\Local Settings\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\CMXA4BSI\microsoft.windows[1].xml
      MD5

      74e197b237f4a087e01732adb04d1c27

      SHA1

      3622247afb42338d6fea2a06ef679635e0c9ff8d

      SHA256

      73b588af53b943a053db27fe78c94f9cb76842933249a8779e608c4bd1082bef

      SHA512

      35e1092aec7b35a7f5ea21c3e6a059fab6634bb1728860cdc1338287ed54d2851cee77528e3de7d4291345abd79856097fe0df8dd739c5b8d615a1880ba09137

      Download Submit
    • C:\Users\Admin\Local Settings\TileDataLayer\Database\EDB.chk
      MD5

      491e115a0c9f68351173bed86bb984f3

      SHA1

      41e8c77b3cacff9598e5c3e56da92c90db51c1a2

      SHA256

      1b4923e57544a52c6563742c665462ef8a6da514ff0b1f2313826fef9f4d9c4f

      SHA512

      09d38e88220ac65ecbb01752298440217c1c9f4ae7460203287cc869b8589144a01ddd36f6e28efe3730139e4239f744d3a2955131f63a2813229c6fd63518b7

      Download Submit
    • C:\Users\Admin\Local Settings\TileDataLayer\Database\EDB.log
      MD5

      9acbf720171e22b78f8598f0528cb469

      SHA1

      03d95be31556553f8992f0a9cd9897358a016f44

      SHA256

      e10cf0c7dd77d8130d3e3a6b1c8fb3e78236f20776fa2a1a0f0b60dae6e2e921

      SHA512

      5d18d7e89062d7ce1da25ddcdd8be9571eb61ae5e2f917d00bec375ce755abf961ef9824e22438bdca5a83ba049b4f7439da30abd4e8882aed2b4c74e52dc769

      Download Submit
    • C:\Users\Admin\Local Settings\TileDataLayer\Database\EDBtmp.log
      MD5

      b2d1236c286a3c0704224fe4105eca49

      SHA1

      7d76d48d64d7ac5411d714a4bb83f37e3e5b8df6

      SHA256

      5647f05ec18958947d32874eeb788fa396a05d0bab7c1b71f112ceb7e9b31eee

      SHA512

      731859029215873fdac1c9f2f8bd25a334abf0f3a9e1b057cf2cacc2826d86b0c26a3fa920a936421401c0471f38857cb53ba905489ea46b185209fdff65b3b6

      Download Submit
    • C:\Users\Admin\Local Settings\TileDataLayer\Database\vedatamodel.edb
      MD5

      e2427ee165aaefbe7a5088b7089e040d

      SHA1

      51b997c845666b697dc69bd37d8e65e499aa4e24

      SHA256

      c0c9f9e148a5adc44ff82f79420ce79d8b2e46ff834625735fc21d5613dc96ae

      SHA512

      d6cdd6b3cba2a831b06b7884f2eb053235389222099049c47da222a56dd00d203680ed6c0e64d98b722c10727c0c05824c9fa766fb77ebdfab52fb268c3fc89c

      Download Submit
    • C:\Users\Admin\Local Settings\TileDataLayer\Database\vedatamodel.jfm
      MD5

      0c91e02074fe2d614691dd7bac6013e0

      SHA1

      fa26c93457f0cc002c98b01bf7be38ff90d40dc3

      SHA256

      a3a59f5bd493efea04a9fed8aa892854e98cce05fe9e4543aa89144876d18ca0

      SHA512

      4411d8d61fc3c59464bcf5b47faf267594ca0875cdeaf024976c36a83f9888f27d940a6b4ce87bc892821d77ec051acea93d75d4c9fe07b3b737344e2d424509

      Download Submit
    • memory/416-118-0x0000000000000000-mapping.dmp
      Download
    • memory/424-120-0x00000243750C0000-0x00000243750D0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/424-121-0x00000243756A0000-0x00000243756A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/424-119-0x0000024375080000-0x0000024375090000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1528-114-0x0000000000000000-mapping.dmp
      Download
    • memory/2912-117-0x0000000000000000-mapping.dmp
      Download
    • memory/3748-115-0x0000000000000000-mapping.dmp
      Download
    • memory/3776-116-0x0000000000000000-mapping.dmp
      Download